We've noticed an issue on one of our servers - an important service we need (IBSERVER, which is an Interbase Database Service) - keeps failing, and it seems to coincide with multiple logons of the same logon which happens sporadically throughout the day. What makes matters worse is that the logon username has administrative rights and has been used throughout our environment (regionally) so I can't just reset the password or disable the account (please don't lecture me on this sort of thing - I completely understand Microsoft's recommendations for admin accounts but I can't speak for the rest of the national team).

Anyway, to cut a long story short, the logons are promptly followed by a logoff, all within the same second. We get the following event IDs: 540, 576, 538.

There are numerous other 'normal' logons on the server all through the day but this logon is particularly worrying because it was happening a lot on a Sunday when no IT staff would be around, so it's either one of our own automated systems using those credentials, or it's a software interface (there are a few connecting back to that server), or (god forbid) it's something or someone nefarious (a virus or whatever).

So I'm wondering: is there a way to check which hostname or IP these logons are coming from? Should I write a short logon script to log to a text file, or is there a better way? I need to figure out why this logon is happening so often in order to fix our other system.

Please post the error message from the event log; I cannot attribute any hotfix to a particular problem if I do not see the event.
The latest netlogon hotfix includes all others, which in turn may or may not fix your domain authentication issue. You need to apply it on machines where logon failures are logged, not more.

Are you sure it's an authentication issue? It's not a domain controller, and the event IDs I listed above are information events, not error events. The user gets logged in and then logs off. There's no error message as such, except the event ID 281 with the Interbase Guardian service failing at more or less the same time as the logon event.

ERROR - EVENT ID 281 (application log)
-------------------------------
The description for Event ID ( 281 ) in Source ( InterBase Guardian ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.
If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s Abnormal Termination: C:\Program Files\Borland\InterBase\bin\ibserver.exe: terminated abnormally (-1).

At the exact same time, three successful events appear in the security log:
-----------------------------------------------------------------

Here's the error below in more detail (I can't see what difference it makes)

Also, can you explain why you think that the KB page link you sent me (event ID 529) is related in any way?
---------------------------------------------------------------------------------------

Event Type: Error
Event Source: InterBase Guardian
Event Category: None
Event ID: 281
Date: 20/02/2011
Time: 14:42:09
User: N/A
Computer: obscuredforsecurity
Description:
The description for Event ID ( 281 ) in Source ( InterBase Guardian ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.

If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s Abnormal Termination: C:\Program Files\Borland\InterBase\bin\ibserver.exe: terminated abnormally (-1).

Authz is the suspected source of event 540;
thus the hotfix describes that you may experience problems without it if the impersonating user is outside the domain.
The Interbase error makes little sense... Is there any Interbase log where you can find more details?

I will look into the Interbase error - I'll see if I can find some log file somewhere.
As for the hotfix, I will apply it as soon as possible and see if it makes any difference. I forgot to mention that apparently this problem only started in the last few weeks. The error actually only happens every few days. I've attached a screenshot of the timing of the error.

I've attached an Interbase log file (partial) - all day today and all previous days there seems to be an error 10054 message coming up (it appears with every single Citrix logon, it would seem). After doing some quick research, it seems like a network issue maybe:

The original developer has gone bust.... but we're in healthcare so we can't just discontinue using the app. We have a consultancy firm looking at it but to be honest they're leaving a lot of this on me, even though I'm not highly trained in any of this stuff. But I'm sure we'll probably figure it out soon. I will keep you posted with info re hotfix etc.

1st tool:
MSVCRT 70 may point to W2000 compatibility mode,
71 to XP,
60 to NT4,
i.e. see what modules are being loaded and that there are no two versions of the same module in the path.
2nd tool:
You can see in which module there is a stuck thread; analyze with (1) again.
3rd tool:
Catches the crash and you can find the crashing module.

e.g.:
App X loads a DB driver DLL which has msvcrt in its own dir and then uses the same module from the system dir; the memory image content is non-determinable, and the app crashes sooner or later.

Good luck in debugging, tell me if you need more assistance.

General advice is to make a single application use the same copy of the same .dll at all times, preferably the one in the system32 directory.

Sorry man, that's way above my head. I might leave it to the consultancy firm... I'll push them to analyse the problem themselves instead of dumping it on me. Third party software is a pain in the &£^$&^$

Unfortunately I think I will have to leave number 3 to the consultants because I'm not a C++ or C# or even a Delphi developer (I'll stick to PHP) and I'm not sure how the program works.

At the moment there are no errors or warnings in the event log since at least the 24th of February. It must have been some problem at the specific time in the logs. Thanks for your help but I'm not sure I'm going to figure this out through looking at the app. I've a feeling the logons in the event viewer can be attributed to one or more of the other 'interfaces' that connect back to the Firebird database. The original software company created a few of these 'interfaces' that pump data in and out of the database to integrate with other software. I should be able to track it down eventually. Your steps 1, 2 and 3 I would imagine will come in very useful for troubleshooting a lot of software problems, so thank you.

Also, do you have any idea how to answer my original question - i.e. is there any way to track past logons from the specific user that was appearing in the event viewer back to a hostname (point of origin)?
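The question asked at the top of the thread and repeated here (tracing a user's past logons back to a hostname or IP) can be answered from the Security log itself: on Windows Server 2003 the 540 "Successful Network Logon" record carries Workstation Name and Source Network Address fields, while the 538 logoff record does not. The following is an added example, not code from the thread; it assumes the tab-separated layout of an Event Viewer "Save As" text export, and the records, accounts, hosts and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the tab-separated layout of an Event Viewer "Save As" text
# export (Windows Server 2003 Security log); accounts, hosts and addresses are invented.
SAMPLE_EXPORT = """\
Event Type:\tSuccess Audit
Event ID:\t540
\tUser Name:\tsvc_admin
\tLogon Type:\t3
\tWorkstation Name:\tINTERFACE-PC01
\tSource Network Address:\t192.0.2.45

Event Type:\tSuccess Audit
Event ID:\t538
\tUser Name:\tsvc_admin
\tLogon Type:\t3

Event Type:\tSuccess Audit
Event ID:\t540
\tUser Name:\tsvc_admin
\tLogon Type:\t3
\tWorkstation Name:\tRADIOLOGY-WS07
\tSource Network Address:\t192.0.2.90

Event Type:\tSuccess Audit
Event ID:\t540
\tUser Name:\tjsmith
\tLogon Type:\t3
\tWorkstation Name:\tHELPDESK-PC
\tSource Network Address:\t192.0.2.12
"""

RECORD_START = re.compile(r"(?m)^(?=Event Type:)")  # every exported record opens with this line
FIELD = re.compile(r"(?m)^[ \t]*([A-Za-z ]+):[ \t]*(.*?)[ \t]*$")  # "Key:<tabs>value" lines

def parse_records(export_text):
    """Split an exported log into records, each a dict of its 'Key: value' lines."""
    for chunk in RECORD_START.split(export_text):
        if chunk.strip():
            yield dict(FIELD.findall(chunk))

def logon_origins(export_text, account, logon_event_ids=("540",)):
    """Count (workstation, source address) pairs for successful logons by `account`.
    Logoff records (538) carry no origin fields, so only logon event IDs are counted."""
    origins = Counter()
    for rec in parse_records(export_text):
        if rec.get("Event ID") in logon_event_ids and rec.get("User Name", "").lower() == account.lower():
            origins[(rec.get("Workstation Name", "<none>"), rec.get("Source Network Address", "<none>"))] += 1
    return origins
```

Run it against the full export of the Security log for the account in question and the Counter shows which hosts the logons originate from; a source that is not one of your known interface machines is the one to look at first.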

Yes, I realise your recommended tools are better but as I've said, I cannot restart the software while it is running; it is important to keep our X-Ray department functioning. I think I'm going to have to just close this question off and give you the points. I'm not really allowed to start renaming DLLs etc. on major systems - I'll leave it to the software consultants.

Wait.
Do static analysis on the binary with depends.exe.
If you discover dual msvcrt, you can plan 2x5 min downtime to resolve and/or revert in case of failure.
That program crashing is a real pain in the a--.
Can you repeat the crash in non-production VMware? It could be a good starting point for a debugger.
Once you make it stable everybody will thank you.

You can see the result immediately - if the app does not load apphelp.dll it runs in native mode (as Microsoft wants it to be).
Give it a try... Ask some doctor for a test case when it crashes; it might give you a volunteer to attach a debugger and test the solution.

The mistake was made by leaving the app in compatibility mode in production. You can only correct it. It cannot get worse.
BUT write down what you plan to do and ask somebody to watch if you do it right.

I think consultants outside Microsoft or Interbase official support cannot help much.
Do the paperwork - really; if after 2 years you go for w2008 R3, you know what I mean...
I ask moderators to call more attention to this question.
